What are syslog facility codes and what is a selector?
Facility = which subsystem produced the message; the selector combines facility and severity as (facility × 8) + severity.
Every syslog message carries two classifiers. Severity is how bad it is (0–7); facility is where it came from — the kernel, the mail system, cron, auth, etc. Together they let rules route and filter messages by both origin and urgency.
| Code | Facility | Source |
|---|---|---|
| 0 | kern | Kernel |
| 1 | user | User-level programs |
| 2 | Mail system | |
| 3 | daemon | System daemons |
| 4 | auth | Security / authentication |
| 5 | syslog | Syslog itself |
| 9 | cron | Cron daemon |
| 10 | authpriv | Private (sensitive) auth |
The selector (a.k.a. PRI value) packs both into one integer so it fits in the message header: selector = facility × 8 + severity. Multiplying by 8 just shifts the facility into the high bits, leaving the low 3 bits (0–7) for severity.
Worked example: <165> decodes as facility 20 (local4) and severity 5 (Notice), because 20 × 8 + 5 = 165. To reverse it: 165 ÷ 8 = 20 remainder 5.
Where you actually use facilities — rsyslog routing rules in /etc/rsyslog.conf use facility.severity selectors:
authpriv.* /var/log/secure # all auth messages, any severity
*.err /var/log/errors # errors-or-worse from every facility
Go deeper:
Syslog — facility (Wikipedia) — the facility-code table (kern, mail, cron, authpriv…) the selector combines with severity.